Shorewall users - Mar 2002 - iptables 1.2.5 and shorewall 1.2.8?

Hey all-
	Trying to run sh 1.2.8 and iptables 1.2.5 on my linux 2.4.17 box. I
build the kernel from kernel.org sources, and then patched it with
iptables 1.2.5 by doing 
%make pending-patches KERNEL_DIR=/usr/src/linux
	I let it run and patched these:


Welcome to Rusty''s Patch-o-matic!

Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so I don''t recommend applying them all!
-------------------------------------------------------
Already applied: submitted/2.4.4
                 submitted/conntrack-errormsg
                 submitted/ip6tables-export-symbols
                 submitted/ip6t_mac-fix-ipv6
                 submitted/ipchains-redirect-fix
                 submitted/ip_nat_irc-srcaddr-fix
                 submitted/ipt_LOG
                 submitted/ipt_mac-fix
                 submitted/ipt_MIRROR-ttl
                 submitted/ipt_REJECT-checkentry
                 submitted/ipt_unclean-ecn
                 submitted/module-license
                 submitted/netlink-tcpdiag
                 submitted/sackperm
                 submitted/skb_clone_copy
                 submitted/tcp-MSS
                 submitted/TOS-oops-fix

Testing... mangle5hooks.patch ALREADY APPLIED (0 rejects out of 16
hunks).

Then after compiling my kernel and making all the modules, I ran
%make KERNEL_DIR=/usr/src/linux
%make install KERNEL_DIR=/usr/src/linux

Then I rebooted to my new kernel.

Now when shorewall starts/stops I get errors like these:

[root@acfw iptables-1.2.5]# /etc/init.d/shorewall stop  
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Stopping Shorewall...iptables: libiptc/libip4tc.c:384: do_check:
Assertion `h->info.valid_hooks == (1 << 0 | 1 << 3)''
failed.
Aborted


Anyone point me in the right direction? Sorry, I am bit fried at this
point in the night and I think that I am missing some important step in
the iptables patching (wasn''t this hard last time I did it).

Thanks,
Z

On Thursday 28 February 2002 04:56 pm, Zachariah Mully
wrote:
> Hey all-
> =09Trying to run sh 1.2.8 and iptables 1.2.5 on my linux 2.4.17 box. I
> build the kernel from kernel.org sources, and then patched it with
> iptables 1.2.5 by doing
> %make pending-patches KERNEL_DIR=3D/usr/src/linux
> =09I let it run and patched these:
>
>
> Welcome to Rusty''s Patch-o-matic!
>
> Each patch is a new feature: many have minimal impact, some do not.
> Almost every one has bugs, so I don''t recommend applying them all!
> -------------------------------------------------------
> Already applied: submitted/2.4.4
>                  submitted/conntrack-errormsg
>                  submitted/ip6tables-export-symbols
>                  submitted/ip6t_mac-fix-ipv6
>                  submitted/ipchains-redirect-fix
>                  submitted/ip_nat_irc-srcaddr-fix
>                  submitted/ipt_LOG
>                  submitted/ipt_mac-fix
>                  submitted/ipt_MIRROR-ttl
>                  submitted/ipt_REJECT-checkentry
>                  submitted/ipt_unclean-ecn
>                  submitted/module-license
>                  submitted/netlink-tcpdiag
>                  submitted/sackperm
>                  submitted/skb_clone_copy
>                  submitted/tcp-MSS
>                  submitted/TOS-oops-fix
>
> Testing... mangle5hooks.patch ALREADY APPLIED (0 rejects out of 16
> hunks).
>
> Then after compiling my kernel and making all the modules, I ran
> %make KERNEL_DIR=3D/usr/src/linux
> %make install KERNEL_DIR=3D/usr/src/linux
>
> Then I rebooted to my new kernel.
>
> Now when shorewall starts/stops I get errors like these:
>
> [root@acfw iptables-1.2.5]# /etc/init.d/shorewall stop
> Processing /etc/shorewall/shorewall.conf ...
> Processing /etc/shorewall/params ...
> Stopping Shorewall...iptables: libiptc/libip4tc.c:384: do_check:
> Assertion `h->info.valid_hooks =3D=3D (1 << 0 | 1 <<
3)'' failed.
> Aborted
>
>
> Anyone point me in the right direction? Sorry, I am bit fried at this
> point in the night and I think that I am missing some important step in
> the iptables patching (wasn''t this hard last time I did it).
Zach,

I''ll bet you got your iptables user-space components from RedHat
Rawhide.=20
RedHat built the tools with debugging enabled; unfortunately, there''s a
bg in=20
that debugging code in that it doesn''t recognize the new mangle chains
that=20
are included in the 1.2.5 kernel components.

-Tom
--=20
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net

Tom-
	Thanks for the help... The box is a RH7.2 install. I am a bit confused
though, as I thought that the iptables install both patched the kernel
and upgraded the userspace tools. What''s the best way to get around
this? Uninstall the Redhat iptables package (iptables-1.2.3-1) and
remake/repatch my kernel?

Thanks,
Zack

On Thu, 2002-02-28 at 20:10, Tom Eastep wrote:
> Zach,
> 
> I''ll bet you got your iptables user-space components from RedHat
Rawhide.
> RedHat built the tools with debugging enabled; unfortunately,
there''s a bg in
> that debugging code in that it doesn''t recognize the new mangle
chains that
> are included in the 1.2.5 kernel components.
> 
> -Tom
> --

On Friday 01 March 2002 08:05 am, Zachariah Mully wrote:
> Tom-
> =09Thanks for the help... The box is a RH7.2 install. I am a bit confused
> though, as I thought that the iptables install both patched the kernel
> and upgraded the userspace tools. What''s the best way to get
around
> this? Uninstall the Redhat iptables package (iptables-1.2.3-1) and
> remake/repatch my kernel?
Upgrade your iptables RPM to 1.2.5 -- you can find an RPM that works in=20
ftp://ftp.shorewall.net/pub/shorewall.

-Tom
--=20
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net